Daily Brief
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2025-12-15 09:35:13 | theregister | MISCELLANEOUS | UK Advocates for Legal Protections and Growth in Ethical Hacking | The UK government is initiating changes to the Computer Misuse Act to support ethical hacking, recognizing its importance in combating cybercrime. Current laws do not adequately protect cybersecurity researchers, limiting their ability to test live infrastructure without legal risk. The initiative aims to transform ethical hacking into a high-status profession, encouraging more individuals to enter the field. Challenges include a shortage of cybersecurity researchers and the need for structured pathways to attract and train new talent. Proposed changes include creating accessible environments for ethical hacking, akin to a learner's driving license, to ensure responsible practice. The initiative seeks to increase collaboration between ethical hackers and organizations, enhancing security through proactive testing. This approach could significantly reduce cybercrime costs and improve overall cybersecurity resilience by fostering a culture of ethical hacking. |
| 2025-12-15 09:25:00 | thehackernews | MALWARE | Phantom Stealer Targets Russian Finance Sector via ISO Phishing Emails | Seqrite Labs has identified Operation MoneyMount-ISO, a phishing campaign targeting Russian finance and accounting sectors, delivering Phantom Stealer malware via malicious ISO images. The campaign uses fake payment confirmation emails with ZIP attachments, which contain ISO files that mount as virtual CD drives to execute the malware. Phantom Stealer extracts sensitive data, including cryptocurrency wallet information, browser passwords, and credit card details, while evading detection in virtualized environments. Data is exfiltrated using Telegram bots or Discord webhooks, and files can be transferred to an FTP server, posing significant data security risks. Parallel campaigns, such as DupeHike, target Russian HR and payroll departments with DUPERUNNER malware, leveraging Adaptix C2 for command-and-control operations. The Russian aerospace sector has faced attacks attributed to Ukrainian-aligned hacktivists, using compromised email servers to distribute spear-phishing messages. These campaigns are part of broader efforts to exploit entities linked to Russia's military, reflecting geopolitical tensions and the impact of Western sanctions. |
| 2025-12-15 05:39:12 | thehackernews | CYBERCRIME | VolkLocker Ransomware Flaw Allows Free Decryption for Victims | CyberVolk, a pro-Russian hacktivist group, launched VolkLocker, a ransomware-as-a-service targeting Windows and Linux systems, with a significant flaw enabling free decryption. SentinelOne discovered that VolkLocker's master keys are hard-coded and stored in plaintext, allowing victims to recover encrypted files without paying ransom. The ransomware uses AES-256 encryption and attempts privilege escalation, reconnaissance, and system enumeration, while also modifying the Windows Registry and deleting shadow copies. Despite its encryption capabilities, a design error in VolkLocker leaves the master key in a temporary folder, facilitating self-recovery by affected users. CyberVolk manages its RaaS operations via Telegram, charging between $800 and $2,200, and has expanded its offerings to include remote access trojans and keyloggers. The group has faced repeated bans on Telegram but continues to operate, reflecting a trend among politically motivated actors leveraging convenient platforms for cybercrime. Businesses should remain vigilant against ransomware threats and consider this case a reminder of the importance of robust cybersecurity measures and incident response plans. |
| 2025-12-15 02:08:32 | theregister | DATA BREACH | Coupang CEO Resigns Following Massive Customer Data Breach | Coupang's CEO, Park Dae-joon, resigned after a significant data breach exposed information on over 30 million customers, impacting more than half of South Korea's population. The breach has raised serious concerns about data privacy and security practices within the company, prompting a leadership change to address the fallout. Coupang has appointed Harold Rogers, Chief Administrative Officer and General Counsel, as interim CEO to steer the company through the recovery phase. The company has publicly apologized and committed to enhancing its information security measures to prevent future incidents and regain customer trust. This incident underscores the critical need for robust cybersecurity frameworks in protecting sensitive customer data in the e-commerce sector. The breach serves as a stark reminder of the potential reputational and operational impacts of inadequate data protection strategies. |
| 2025-12-14 23:30:55 | theregister | MISCELLANEOUS | NCSC Advocates for Strategic Use of Cyber Deception Tools | The UK's National Cyber Security Centre (NCSC) emphasizes strategic deployment of cyber deception tools, such as honeypots, to enhance threat intelligence and system visibility. Improperly configured cyber deception tools can generate misleading data or inadvertently create vulnerabilities, necessitating a clear implementation strategy. NCSC's findings suggest that openly using deception tools can deter attackers by increasing their operational costs and reducing their confidence. The NCSC is developing services to assist organizations in effectively investing in and deploying cyber deception technologies as part of modern defense strategies. Ox Security revealed vulnerabilities in the AI platforms Cursor and AWS Bedrock, where weak default settings allowed unauthorized budget changes and API token leaks. Spanish police arrested a 19-year-old linked to the theft of 64 million personal records from nine companies, highlighting ongoing data breach risks. Polish authorities detained three Ukrainian nationals suspected of possessing tools capable of targeting strategic IT systems, reflecting the persistent threat of mobile cybercriminal groups. CISA's 2025 vulnerability list ranks cross-site scripting as the top software weakness, urging prioritization of its detection and remediation. |
| 2025-12-14 16:13:05 | bleepingcomputer | CYBERCRIME | PayPal Subscription Feature Exploited in Sophisticated Email Scam | Cybercriminals are exploiting PayPal's "Subscriptions" feature to send legitimate emails with fake purchase notifications, causing alarm among recipients. The scam uses modified customer service URLs to display false purchase details, tricking users into believing they bought expensive items like iPhones or MacBooks. These emails, appearing to originate from PayPal's official address, bypass security and spam filters, leading recipients to fear account compromise. The scam's goal is to deceive recipients into calling a fraudulent support number, potentially leading to bank fraud or malware installation. Investigations reveal scammers may exploit a flaw in PayPal's subscription metadata handling or use an API to inject invalid data. PayPal is aware of the issue but has not disclosed specific remediation steps, urging users to remain vigilant against unexpected messages. Users are advised to verify account activity directly through PayPal's website and avoid interacting with suspicious emails or phone numbers. |
| 2025-12-13 15:16:45 | bleepingcomputer | CYBERCRIME | CyberVolk's Ransomware Stumbles Due to Cryptography Flaw | CyberVolk, a pro-Russia hacktivist group, launched VolkLocker, a ransomware-as-a-service targeting Linux/VMware ESXi and Windows systems, but faced setbacks due to cryptographic flaws. SentinelOne researchers identified a critical implementation flaw in VolkLocker, allowing victims to decrypt files for free using a hardcoded master key found in plaintext on affected machines. The ransomware uses AES-256 encryption with a 32-bit master key, which is improperly managed, as the key is stored in a plaintext file, undermining its security. CyberVolk's operations include DDoS and ransomware attacks against entities opposing Russia, with the group resurfacing in August 2025 after previous disruptions. Despite the cryptographic weakness, the group continues to market additional malware, including a remote access trojan and keylogger, each priced at $500. The public disclosure of VolkLocker's flaw might prompt threat actors to rectify the issue, though it provides temporary relief to current victims. SentinelOne's decision to disclose the flaw publicly was based on its nature as a testing artifact, not a core encryption vulnerability, highlighting operational incompetence. |
| 2025-12-13 12:39:26 | thehackernews | VULNERABILITIES | CISA Warns of Active Exploitation of Sierra Wireless Router Flaw | CISA has added a critical flaw in Sierra Wireless AirLink ALEOS routers to its Known Exploited Vulnerabilities catalog due to active exploitation reports. The vulnerability, CVE-2018-4063, allows remote code execution via a specially crafted HTTP request, posing significant security risks. Initially disclosed by Cisco Talos in 2019, the flaw affects the ACEManager "upload.cgi" function in firmware version 4.9.3, enabling unauthorized file uploads. Attackers can exploit this flaw by sending authenticated HTTP requests to upload files with executable permissions, running with elevated privileges. Recent analyses show industrial routers are frequent targets, with threat actors attempting to deploy malware such as RondoDox and Redtail. A threat cluster named Chaya_005 exploited this flaw in early 2024, but it is currently assessed as a low-level threat. Federal agencies are advised to update affected devices by January 2026 or discontinue use, as the product has reached end-of-support status. |
| 2025-12-13 05:38:34 | thehackernews | VULNERABILITIES | Apple Patches Critical WebKit Flaws Exploited in Targeted Attacks | Apple released security updates for multiple operating systems and Safari to address two WebKit vulnerabilities actively exploited in the wild. The vulnerabilities, affecting iOS, iPadOS, macOS, tvOS, watchOS, visionOS, and Safari, were part of sophisticated attacks on specific targeted individuals. CVE-2025-14174, an out-of-bounds memory access flaw in the ANGLE library's Metal renderer, was also patched by Google in Chrome earlier this week. Apple's Security Engineering and Architecture team, alongside Google's Threat Analysis Group, identified and reported the vulnerabilities. The flaws potentially facilitated mercenary spyware attacks, impacting all third-party web browsers on iOS and iPadOS, including Chrome, Edge, and Firefox. These updates mark the ninth zero-day vulnerability Apple has patched in 2025, underscoring the ongoing threat landscape and the need for timely updates. Organizations and users are urged to apply these updates immediately to mitigate potential security risks and protect against targeted exploitation. |
| 2025-12-12 23:24:46 | bleepingcomputer | VULNERABILITIES | Apple and Google Patch Zero-Day Flaws in Coordinated Effort | Apple released emergency updates to address two zero-day vulnerabilities, CVE-2025-43529 and CVE-2025-14174, exploited in targeted attacks on pre-iOS 26 devices. CVE-2025-43529 involves a WebKit use-after-free flaw allowing remote code execution via malicious web content, discovered by Google's Threat Analysis Group. CVE-2025-14174, a WebKit memory corruption issue, was identified by both Apple and Google's Threat Analysis Group, affecting a range of iPhone and iPad models. Google also patched CVE-2025-14174 in Chrome, indicating a coordinated disclosure effort with Apple to mitigate the threat. Targeted attacks suggest the use of sophisticated spyware, emphasizing the importance of timely security updates to protect vulnerable devices. Apple has addressed seven zero-day vulnerabilities in 2025, reflecting ongoing efforts to secure its ecosystem against emerging threats. Users are advised to install the latest updates promptly to safeguard against potential exploitation of these vulnerabilities. |
| 2025-12-12 22:34:45 | theregister | VULNERABILITIES | Unofficial Patch Released for Microsoft RasMan DoS Zero-Day Vulnerability | A zero-day vulnerability in Microsoft's Windows Remote Access Connection Manager (RasMan) allows unprivileged users to crash the service, leading to potential denial-of-service attacks. Researchers from 0patch identified the flaw while investigating a related vulnerability, CVE-2025-59230, which was previously patched by Microsoft after being exploited by attackers. The vulnerability remains unpatched by Microsoft, with no official timeline for a fix, although an unofficial patch is available through 0patch. The exploit, circulating online, has not been detected by malware engines, raising concerns about potential misuse by malicious actors. The flaw stems from a coding issue in processing circular linked lists, causing a memory access violation and service crash. ACROS Security CEO Mitja Kolsek has informed Microsoft of the vulnerability, but no feedback or CVE assignment has been received. Organizations are advised to implement the unofficial patch from 0patch to mitigate the risk until an official update is available. |
| 2025-12-12 18:55:01 | thehackernews | MALWARE | PyStoreRAT Malware Exploits GitHub Repositories to Target Developers | Cybersecurity researchers discovered PyStoreRAT, a JavaScript-based Remote Access Trojan, distributed via GitHub-hosted Python repositories disguised as development utilities and OSINT tools. The campaign uses GitHub's trust to deceive users into executing malicious loader stubs, initiating infection chains through remote HTML Application (HTA) payloads. PyStoreRAT is modular, capable of executing various file types, and includes an information stealer targeting cryptocurrency wallets like Ledger Live and Trezor. Threat actors employ social media to promote these repositories, artificially boosting their visibility on GitHub's trending lists to attract analysts and developers. The malware evades detection by profiling systems, checking for antivirus products, and using Falcon-aware evasion logic, complicating early-stage detection by EDR solutions. Persistence is achieved through a scheduled task disguised as an NVIDIA app update, while external servers provide further commands for execution. Indicators suggest the threat actor may originate from Eastern Europe, with Russian-language artifacts observed in the campaign's coding patterns. The emergence of PyStoreRAT emphasizes the need for vigilance in verifying the legitimacy of open-source tools and repositories, highlighting ongoing threats in the cybersecurity landscape. |
| 2025-12-12 18:36:05 | bleepingcomputer | DATA BREACH | Coupang Data Breach Exposes 33.7 Million Customer Records | Coupang, South Korea's largest online retailer, experienced a significant data breach affecting 33.7 million customers, revealing personal data such as names, emails, addresses, and order information. The breach was traced to a former employee who retained access to internal systems post-departure, highlighting potential internal security oversight. The breach occurred in June 2025 but was only discovered in November, prompting an internal investigation and subsequent police involvement. The Seoul Metropolitan Police Agency conducted a raid on Coupang's offices, gathering evidence to determine the breach's extent and the company's potential liability. Coupang's CEO resigned following the incident, marking it as the most severe cybersecurity breach in South Korean history and raising questions about corporate accountability. The breach has led to increased phishing activity, affecting a significant portion of the population, with numerous reports of Coupang impersonation attempts. Authorities continue to investigate, focusing on internal documents, logs, and access histories to understand the breach mechanics and prevent future incidents. |
| 2025-12-12 18:25:56 | theregister | VULNERABILITIES | New React Vulnerabilities Demand Urgent Patching to Prevent Exploits | Recent vulnerabilities in React Server Components include two denial-of-service flaws and a source-code exposure issue, affecting versions 19.0.0 to 19.2.2, necessitating immediate updates. CVE-2025-55184 and CVE-2025-67779, both high-severity DoS bugs, can hang servers through crafted HTTP requests, impacting performance and accessibility. CVE-2025-55183, a medium-severity flaw, risks exposing hardcoded secrets via malicious HTTP requests, though runtime secrets remain secure. These vulnerabilities were discovered by researchers RyotaK, Shinsaku Nomura, and Andrew MacPherson, who reported them to Meta, the library's creator. The earlier React2Shell vulnerability, CVE-2025-55182, remains a concern despite previous patches, with ongoing exploitation by actors from North Korea and China. Organizations must update to the latest patches as previous fixes are incomplete, similar to the widespread impact seen with the Log4Shell vulnerability. Over 50 organizations have been affected by React2Shell, with potential for further compromise if immediate action is not taken to address these new vulnerabilities. |
| 2025-12-12 17:16:07 | bleepingcomputer | MALWARE | Fake Movie Torrent Distributes Agent Tesla via Subtitle Files | Bitdefender researchers identified a fake torrent for "One Battle After Another" containing malware hidden in subtitle files, exploiting interest in the newly released film. The torrent file includes a malicious PowerShell script embedded within subtitle files, which activates upon executing a shortcut file disguised as a movie launcher. Once activated, the script reconstructs additional PowerShell scripts that check for Windows Defender, install Go, and deploy the Agent Tesla RAT payload. Agent Tesla, active since 2014, is a Windows-based Remote Access Trojan used to steal credentials and capture screenshots, known for its reliability and ease of use. The infection chain is noted for its complexity and stealth, making it difficult for users to detect the malicious activity until it's too late. Bitdefender advises against downloading torrents from unknown sources due to the high risk of malware, as seen in similar cases with other popular movie titles. This incident serves as a reminder of the persistent threat posed by cybercriminals exploiting popular media content to distribute malware. |